A miner and the ClipBanker Trojan being distributed via SourceForge
Essential information
- Published
- 08/04/2025 19:06
- Modified
- 08/04/2025 22:10
- Tags
- 2025-04-08 autoit clipbanker cryptocurrency miner persistence powershell sourceforge
- Related entities
- 12 techniques (mitre), 1 malware, 1 others
Description
A unique malware distribution scheme exploiting SourceForge has been discovered. The attackers create a seemingly legitimate project on sourceforge.net, which automatically generates a sourceforge.io subdomain. This subdomain is then used to host a malicious page that tricks users into downloading a compressed archive containing malware. The infection chain involves multiple stages, including the use of password-protected archives, Visual Basic scripts, and PowerShell commands. The main payloads are a cryptocurrency miner and ClipBanker, a Trojan that replaces cryptocurrency wallet addresses in the clipboard. The campaign primarily targets Russian-speaking users, with 90% of potential victims located in Russia.